CVE-2025-11519
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-18

Last updated on: 2025-10-21

Assigner: Wordfence

Description
The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the /wp-json/optml/v1/move_image REST API endpoint due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to offload media that doesn't belong to them.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-18
Last Modified
2025-10-21
Generated
2026-06-16
AI Q&A
2025-10-18
EPSS Evaluated
2026-06-15
NVD
CVE-2025-11519
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
optimole optimole_wp 4.1.1
optimole optimole_wp 4.1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an Insecure Direct Object Reference (IDOR) in the Optimole WordPress plugin (versions up to 4.1.0). It occurs via the /wp-json/optml/v1/move_image REST API endpoint due to missing validation on a user-controlled key. This flaw allows authenticated attackers with Author-level access or higher to offload media files that do not belong to them, potentially accessing or manipulating other users' media.

Impact Analysis

The vulnerability allows attackers with Author-level access or above to offload media files that belong to other users. This could lead to unauthorized access or manipulation of media content, potentially causing data integrity issues or unauthorized data exposure within the WordPress site.

Detection Guidance

Detection of this vulnerability involves monitoring for unauthorized use of the /wp-json/optml/v1/move_image REST API endpoint by authenticated users with Author-level access or higher. You can inspect web server logs for suspicious POST requests to this endpoint. For example, using grep on Apache or Nginx logs: `grep '/wp-json/optml/v1/move_image' /var/log/apache2/access.log` or `grep '/wp-json/optml/v1/move_image' /var/log/nginx/access.log`. Additionally, monitoring WordPress user activity logs for unusual media offloading actions by authors can help detect exploitation attempts. Since the vulnerability requires authentication, checking for anomalous authenticated API calls is key. [1]

Mitigation Strategies

The immediate mitigation step is to update the Optimole WordPress plugin to version 4.1.1 or later, as this version includes security fixes that address CVE-2025-11519 by improving validation and state management in the REST API handlers. Until the update is applied, restrict Author-level user permissions if possible, and monitor API usage closely. Applying the update will enhance API key validation, error handling, and prevent unauthorized media offloading. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11519. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart